PLATFORM SECURITY

Security & Data Protection

Your lending data is protected by enterprise-grade security controls, encryption in transit, and strict access management across every layer of the platform.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3 with AES-256-GCM cipher suites, enforced via HSTS with preload. This is the same encryption standard used by major UK banks and financial institutions.

Authentication & Access Controls

Multiple layers of protection guard access to your account and data.

Bcrypt Password Hashing

Passwords are hashed using bcrypt with per-user salting. We never store plaintext passwords. Legacy accounts are automatically upgraded to bcrypt on next login.

Rate-Limited Authentication

Login attempts are rate-limited to 5 per IP address within a 5-minute window. Repeated failed attempts are blocked to prevent brute-force attacks.
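A sliding-window limiter with the limits stated above (5 attempts per IP address in 5 minutes), given as an added example and not the platform's own code. The class and function names are hypothetical, the IP addresses are constructed from documentation ranges, and the counters are assumed to live in one process's memory.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5          # from the page: 5 attempts per IP address
WINDOW_SECONDS = 5 * 60   # from the page: 5-minute window


class LoginRateLimiter:
    """Sliding-window limiter keyed by client IP (hypothetical name)."""
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock                    # injectable so tests control time
        self._attempts = defaultdict(deque)   # ip -> timestamps of counted attempts

    def _expire(self, ip, now):
        q = self._attempts[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                       # attempt has aged out of the window
        return q

    def check(self, ip):
        """Record one login attempt; return (allowed, retry_after_seconds)."""
        now = self.clock()
        q = self._expire(ip, now)
        if len(q) >= self.max_attempts:
            # Blocked attempts are not recorded, so retrying does not extend the block.
            return False, self.window - (now - q[0])
        q.append(now)
        return True, 0.0

    def sweep(self):
        """Drop idle IPs so the table cannot grow without bound."""
        now = self.clock()
        for ip in list(self._attempts):
            if not self._expire(ip, now):
                del self._attempts[ip]
        return len(self._attempts)


def replay(events):
    """Run constructed (timestamp, ip) events through a fresh limiter."""
    now = [0.0]
    limiter = LoginRateLimiter(clock=lambda: now[0])
    decisions = []
    for ts, ip in events:
        now[0] = ts
        decisions.append(limiter.check(ip)[0])
    return decisions
```

With several application processes the counters would need a shared store, and behind a reverse proxy the client IP has to come from a header set by a trusted proxy rather than from the request itself.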

Admin-Approved Registration

New accounts require manual approval by our team before access is granted. No one can self-register and access platform data without verification.

Session Management

Sessions use JSON Web Tokens (JWTs) that expire after 8 hours, so every session is time-limited. Tokens are signed with 256-bit cryptographic keys.

Data Ring-Fencing

Your proprietary loan book data, facility amounts, insurance details, and broker information are ring-fenced within your account and never directly visible to other platform users. Cross-lender intelligence is only shared in anonymised, aggregated form through network notifications.

Infrastructure Security

The platform runs on secured, UK-based infrastructure with hardened network and application-layer protections.

UK-Based Hosting

All data is stored and processed on servers located in the United Kingdom, ensuring compliance with UK data residency expectations.

Firewall Protection

Network-level firewall rules restrict access to only essential services (HTTPS). Database, application, and internal services are not exposed to the public internet.

Security Headers

Content Security Policy, Strict Transport Security (HSTS with preload), X-Frame-Options, and Permissions Policy headers protect against XSS, clickjacking, and content injection attacks.

CORS Restrictions

Cross-Origin Resource Sharing is restricted to authorised domains only. Third-party websites cannot make API requests to the platform.

Data Protection & Privacy

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. You have full rights to access, rectify, and erase your data.

Our full data processing practices are outlined in our Terms & Conditions.

Monitoring & Incident Response

Automated systems continuously monitor platform health, performance, and security.

Automated Health Checks

Daily automated monitoring of all services, databases, SSL certificates, disk usage, and data integrity with automatic recovery for common failures.

Login Auditing

All authentication events are logged, including successful logins and failed attempts, with IP-level tracking for security investigations.

Admin Alerts

Platform issues trigger automatic email notifications to the operations team, with fixes logged to the admin dashboard for full visibility.

Security Roadmap

We are committed to continuously improving our security posture. Planned enhancements include:

  • Multi-factor authentication (TOTP) for all accounts
  • SSO integration for enterprise lender teams
  • Encryption at rest for database storage
  • SOC 2 Type II certification with independent audit

Questions About Security?

We take data protection seriously. Contact us if you have any questions about how we secure your data.